Converting a Stand-alone Architecture to Config Manager Integrated

Question

We are currently planning an MBAM 2.5 proof of concept in our organization. We have split roles (myself in security, infrastructure and platform), which is the reasoning behind my question. Our platform team, which owns Config Manager, doesn't have a lot of spare time. I would like to get started on this POC as soon as possible, so I am wondering:

Is it possible to take a stand-alone architecture (2-server design: SQL DB server and Administration and Monitoring server) and later down the road integrate Config Manager into the mix? If so, how much extra work would it be to go this route, or is it basically setting up Config Manager and fairly straightforward?

My reasoning behind this is that if this isn't too much rework, we can stand up MBAM and test in a stand-alone environment, then once time permits, we can integrate Config Manager, swap reporting over to there, and continue testing with a full-blown collection build.

If you go to CM integrated later, you will lose all of your compliance data that you have accrued. It will repopulate in CM instead of standalone as machines check in. When you make the switch, back up your compliance data from SSRS in standalone
so that you can use it if you need to while you wait for machines to check into CM.

@GlennHoppy,

You can install MBAM on machines that are already encrypted. The first time MBAM wakes up, it will reset and re-escrow the key to get it into a known good state. There is no negative impact. The only time a user would see a popup is if they were out of compliance with your policies. Make sure that you remove any BitLocker policies you have and only configure the BitLocker policies via the MBAM GPO node, or you will have problems.
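A quick client-side check for the policy-conflict advice above, added here as an example and not code from the thread: it lists any native BitLocker policy values applied to a machine so they can be identified and removed before the MBAM client is deployed. It assumes the native BitLocker ADMX settings land under `HKLM:\SOFTWARE\Policies\Microsoft\FVE` and that MBAM 2.5 policy lands in the `MDOPBitLockerManagement` subkey beneath it; the MBAM client agent name used for the service check is also an assumption.

```powershell
# Added example, not from the original thread.
# Assumption: native BitLocker GPO settings are written to the FVE key itself,
# while the MBAM 2.5 GPO node writes to the MDOPBitLockerManagement subkey.
$NativePolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$MbamPolicyPath   = Join-Path $NativePolicyPath 'MDOPBitLockerManagement'

function Get-BitLockerPolicyConflict {
    [CmdletBinding()]
    param()

    $nativeValues = @()
    if (Test-Path $NativePolicyPath) {
        $key = Get-Item -Path $NativePolicyPath
        # Values set directly on the FVE key come from the native BitLocker templates.
        # Subkeys (including MBAM's own) are deliberately not enumerated here.
        $nativeValues = foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{ Name = $name; Value = $key.GetValue($name) }
        }
    }

    $mbamPolicyPresent = Test-Path $MbamPolicyPath

    # Assumption: the MBAM client agent service is named 'MBAMAgent'.
    $agent = Get-Service -Name 'MBAMAgent' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        NativePolicyValues  = @($nativeValues)
        MbamPolicyPresent   = $mbamPolicyPresent
        MbamAgentInstalled  = [bool]$agent
        # Both policy sources present at once is the situation the answer warns about.
        Conflict            = ($nativeValues.Count -gt 0) -and $mbamPolicyPresent
    }
}

# Usage: run elevated on a client, review NativePolicyValues, then remove the
# corresponding native GPO settings so only the MBAM GPO node remains in effect.
$report = Get-BitLockerPolicyConflict
$report | Format-List
if ($report.Conflict) {
    Write-Warning "Native BitLocker policy values coexist with MBAM policy on $($report.ComputerName):"
    $report.NativePolicyValues | Format-Table -AutoSize
}
```

Run it across the POC collection (for example via Invoke-Command) to confirm the native policy values are gone everywhere before the MBAM client starts resetting and re-escrowing keys.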

From the documentation I have researched so far, the overall configuration doesn't appear to be too much work at all, so a complete rework doesn't scare me too bad, seeing as how it's a throwaway POC anyway. It is nice to hear, though, that integrating Config Manager later isn't a big deal.

I have a question regarding an already implemented BitLocker "home grown" method. BitLocker was implemented using scripts and manage-bde.exe. All the keys are stored in a secure location on a file share, and a scheduled task runs every Monday to report on status. This does not work well with our Compliance dept., as the reporting is... well, archaic. We are migrating from SCCM 2007 to 2012 this year. I would like to implement MBAM 2.5 and then integrate into SCCM later.

Are there any repercussions in implementing MBAM on machines that are already configured with BitLocker? I guess I'm not familiar enough as to whether it will negatively impact BitLocker, as it has already checked in with the TPM and created the recovery keys. Can MBAM recreate the keys and reconfigure the TPM via GPO without any negative impact?

"If a machine is already BitLocker-encrypted before the MBAM client is installed, then when the MBAM client is installed, the recovery key is extracted from the machine’s local store and sent to the MBAM SQL Server database."
